Configure the Kerberos client

Although the trusted Kerberos principal can be referred to as a Kerberos service principal, it is acting on the client-side of the Kerberos authentication transaction, and needs a Kerberos client for KCD.

Synchronize to Avoid Replay Errors at Service: If API Gateway is running on Windows, select this option, and enter the time to pause in milliseconds (for example, 15). If API Gateway is running on UNIX/Linux, deselect this option to improve performance.

Deploy the configuration

To deploy the configuration to API Gateway, click the Deploy icon.

You have now configured and deployed a simple KCD policy for SPNEGO authentication where API Gateway acts as the trusted Kerberos principal for KCD. The end user application that invokes this policy in API Gateway must provide authentication credentials to satisfy the chosen non-Kerberos authentication mechanism.

For demonstration purposes, you can add API Gateway as the back-end service as well as sample users. See Configure a KCD demo setup.